Threat of the Week: Mobile Deposit Fraud Set to Cross the Line

Sides are being taken, lines are getting drawn over whether – or not – there has been an explosion in mobile remote deposit capture fraud.

The latest salvo in the fight: A survey of a couple hundred financial institutions (including 44 credit unions) by RemoteDepositCapture.com that found that 80% say they have suffered no losses due to MRDC.

“Losses are extremely slim,” RemoteDepositCapture.com CEO John Leekley said in an interview.

On the other side of this divide is Citibank senior vice president Brian Todd who, at the April NACHA conference, said on a panel that Citi had been seeing substantial growth in MRDC fraud.

Todd suggested, although he offered few details, that knowledgeable criminals were exploiting time lags and loopholes in check clearing processes, in order to effect multiple deposits of the same check image across multiple accounts and institutions. He left the audience with the suggestion that MRDC fraud was just in its early stages, that more is sure to come.

Who’s right – Leekley or Todd?

Obviously, both are telling the truth as they see it.

But dig into MRDC fraud and it becomes plain that in fact fraud in the channel is on the rise. Said Julie Conroy, an MRDC expert with Aite Group in Boston: “I’ve heard (MRDC fraud is up) from a number of FIs. Criminals are figuring out that banks don’t have visibility into duplicate deposits and they are capitalizing on it. The absolute numbers are still small in comparison to other types of fraud, but it’s happening, and FIs are looking for solutions.”

Added Tom DeSot, CIO of Digital Defense in San Antonio, “You will see the incidence of MRDC fraud go up. It will be in the news more.”

More on that momentarily, but, first, what about the low fraud incidence reported by RemoteDepositCapture.com?

Questions may be justifiably raised about the RemoteDepositCapture.com survey design. Asking financial services executives to disclose the extent of losses their institution has suffered – and compelling them to give their name and details – makes it unlikely that many would ‘fess up.

“With sensitive questions like that, to maximize accurate and honest response, it's best to make the responses anonymous,” said Bernadette Wright, director of research and evaluation at Meaningful Evidence LLC in Falls Church, Va.

Ron Sellers, who runs Grey Matter Research and Consulting in Phoenix, added that what he called “response bias” is an easy way to ruin a survey’s validity. He elaborated, “If you know there is no fraud in your institution, there’s no reason for you not to respond. If you have concerns about fraud or know it to be present in your institution, you’re unlikely to complete the survey (people are more likely to skip it entirely than to lie throughout it). Now you’re left with a non-representative sample that purports to represent the entire industry but actually misrepresents it.”

Note: the survey design experts commented on a hypothetical scenario. None reviewed the RemoteDepositCapture.com survey in any detail.

Maybe the RemoteDepositCapture.com survey results were in fact totally representative of what’s occurring in the real world. But what also may be happening is that criminals are now waking up to the reality that MRDC is a potential gold mine because of structural inadequacies in financial services’ check processing.

A fundamental problem: even within one institution, the many check processing systems – from teller windows to MRDC – do not necessarily talk well with one another, said Wes Wilhelm, risk and fraud management expert at New York-based security firm NICE Actimize.

When multiple institutions are involved, forget about it: “There is no way to do real-time detection, the technology just isn’t there yet for detecting duplicates at multiple FIs,” said Jackie Marshall, director of IT regulatory compliance at Alpharetta, Ga.-based Gladiator Technology, part of Jack Henry’s ProfitStars group.

Loopholes in duplicates detection are not the only target for criminals. Just when you thought it was bad, the situation gets much worse.

Michael Alfonsi, a vice president at business processing outsourcing firm BancTec in Irving, Texas, said criminals increasingly are on the hunt for large stores of check images which, he said, frequently are kept in insecure environments and unencrypted.

Find a way to penetrate one of those storehouses – most financial institutions and/or their vendors have one – and, suddenly, tens of thousands of images are at hand and the criminal gang can get busy re-depositing them.

He added: “I don’t have a sense [financial services executives] are pulling their hair out over losses, but they are worried about the trends.”

Richard Moffitt, senior director of systems engineering at security company Kaspersky Lab in Woburn, Mass., said he was unaware of any successful penetrations of check image caches, but he added, “It is something that is possible if a financial institution does not implement proper security. To protect themselves from these types of attacks, we recommend conducting a risk assessment to determine vulnerabilities and then choose which security measures should be implemented on both the banking side and end-user side to prevent these types of attacks.”

Experts insisted both of these issues are solvable. Better, tighter security – and use of encryption – for stored check images would up the ante for hackers.

And better, faster duplicate detection and much better communication amongst banking channels and across institutions would go far towards plugging the present check clearing loopholes. Ask the experts and just about all are optimistic.
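As an added illustration (not from the article or any vendor named in it), the sketch below shows why per-channel duplicate checks miss a check presented through two channels, while a shared index keyed on normalized MICR fields catches it. The channel labels, field names and sample deposits are constructed assumptions.

```python
# Added example: cross-channel duplicate check detection on constructed data.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Deposit:
    channel: str        # assumed labels: "teller", "atm", "mrdc"
    dest_account: str   # account the item was deposited into
    routing: str        # MICR routing number of the paying bank
    account: str        # MICR account number the check is drawn on
    serial: str         # MICR check serial number
    amount_cents: int

def item_key(d):
    """Normalize MICR fields so one paper check maps to one key,
    whichever channel captured it and however it formatted the fields."""
    digits = lambda s: "".join(c for c in s if c.isdigit())
    return (digits(d.routing), digits(d.account),
            digits(d.serial).lstrip("0"), d.amount_cents)

def find_duplicates(deposits):
    """Return {item_key: [deposits]} for items presented more than once."""
    seen = defaultdict(list)
    for d in deposits:
        seen[item_key(d)].append(d)
    return {k: v for k, v in seen.items() if len(v) > 1}

def per_channel_duplicates(deposits):
    """What each channel finds when it only checks its own history."""
    by_channel = defaultdict(list)
    for d in deposits:
        by_channel[d.channel].append(d)
    return {ch: find_duplicates(ds) for ch, ds in by_channel.items()}

# Constructed sample: the first two rows are the same check, captured by
# different channels with different field formatting, into different accounts.
SAMPLE = [
    Deposit("mrdc",   "A-100", "000000001", "12345678",   "0001042", 25000),
    Deposit("teller", "A-200", "000000001", "12-345-678", "1042",    25000),
    Deposit("atm",    "A-300", "000000001", "12345678",   "1043",     9900),
    Deposit("mrdc",   "A-100", "000000001", "12345678",   "1044",     5000),
]

if __name__ == "__main__":
    print("per-channel view:", per_channel_duplicates(SAMPLE))
    for key, hits in find_duplicates(SAMPLE).items():
        print("shared view:", key, [(h.channel, h.dest_account) for h in hits])
```

The same keying only helps across institutions if they share the index, which is the gap the experts quoted above describe.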

But most agree: Actions need to be taken, soon, to batten down MRDC – before this turns into a digital badlands for thieves.

And a big step towards getting there starts with acknowledging there is a fraud problem and it is worsening.